actionmcp 0.52.2 → 0.54.0

data/db/migrate/20250512154359_consolidated_migration.rb

@@ -11,16 +11,16 @@ class ConsolidatedMigration < ActiveRecord::Migration[8.0]
         t.string :status, null: false, default: 'pre_initialize'
         t.datetime :ended_at, comment: 'The time the session ended'
         t.string :protocol_version
-        t.jsonb :server_capabilities, comment: 'The capabilities of the server'
-        t.jsonb :client_capabilities, comment: 'The capabilities of the client'
-        t.jsonb :server_info, comment: 'The information about the server'
-        t.jsonb :client_info, comment: 'The information about the client'
+        t.json :server_capabilities, comment: 'The capabilities of the server'
+        t.json :client_capabilities, comment: 'The capabilities of the client'
+        t.json :server_info, comment: 'The information about the server'
+        t.json :client_info, comment: 'The information about the client'
         t.boolean :initialized, null: false, default: false
         t.integer :messages_count, null: false, default: 0
         t.integer :sse_event_counter, default: 0, null: false
-        t.jsonb :tool_registry, default: []
-        t.jsonb :prompt_registry, default: []
-        t.jsonb :resource_registry, default: []
+        t.json :tool_registry, default: []
+        t.json :prompt_registry, default: []
+        t.json :resource_registry, default: []
         t.timestamps
       end
     end
@@ -36,7 +36,7 @@ class ConsolidatedMigration < ActiveRecord::Migration[8.0]
         t.string :direction, null: false, comment: 'The message recipient', default: 'client'
         t.string :message_type, null: false, comment: 'The type of the message'
         t.string :jsonrpc_id
-        t.jsonb :message_json
+        t.json :message_json
         t.boolean :is_ping, default: false, null: false, comment: 'Whether the message is a ping'
         t.boolean :request_acknowledged, default: false, null: false
         t.boolean :request_cancelled, null: false, default: false
@@ -98,15 +98,15 @@ class ConsolidatedMigration < ActiveRecord::Migration[8.0]
       end
 
       unless column_exists?(:action_mcp_sessions, :tool_registry)
-        add_column :action_mcp_sessions, :tool_registry, :jsonb, default: []
+        add_column :action_mcp_sessions, :tool_registry, :json, default: []
       end
 
       unless column_exists?(:action_mcp_sessions, :prompt_registry)
-        add_column :action_mcp_sessions, :prompt_registry, :jsonb, default: []
+        add_column :action_mcp_sessions, :prompt_registry, :json, default: []
       end
 
       unless column_exists?(:action_mcp_sessions, :resource_registry)
-        add_column :action_mcp_sessions, :resource_registry, :jsonb, default: []
+        add_column :action_mcp_sessions, :resource_registry, :json, default: []
       end
     end
 
@@ -132,7 +132,10 @@ class ConsolidatedMigration < ActiveRecord::Migration[8.0]
 
     return unless column_exists?(:action_mcp_session_messages, :direction)
 
-    change_column_comment :action_mcp_session_messages, :direction, 'The message recipient'
+    # SQLite3 doesn't support changing column comments
+    if connection.adapter_name.downcase != 'sqlite'
+      change_column_comment :action_mcp_session_messages, :direction, 'The message recipient'
+    end
   end
 
   private

data/db/migrate/20250608112101_add_oauth_to_sessions.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class AddOAuthToSessions < ActiveRecord::Migration[8.0]
+  def change
+    # Use json for all databases (PostgreSQL, SQLite3, MySQL) for consistency
+    json_type = :json
+
+    add_column :action_mcp_sessions, :oauth_access_token, :string
+    add_column :action_mcp_sessions, :oauth_refresh_token, :string
+    add_column :action_mcp_sessions, :oauth_token_expires_at, :datetime
+    add_column :action_mcp_sessions, :oauth_user_context, json_type
+    add_column :action_mcp_sessions, :authentication_method, :string, default: "none"
+
+    # Add indexes for performance
+    add_index :action_mcp_sessions, :oauth_access_token, unique: true
+    add_index :action_mcp_sessions, :oauth_token_expires_at
+    add_index :action_mcp_sessions, :authentication_method
+  end
+end

data/lib/action_mcp/client/oauth_client_provider/memory_storage.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module ActionMCP
+  module Client
+    class OauthClientProvider
+      # Simple in-memory storage for development
+      # In production, use persistent storage
+      class MemoryStorage
+        def initialize
+          @data = {}
+        end
+
+        def save_tokens(tokens)
+          @data[:tokens] = tokens
+        end
+
+        def load_tokens
+          @data[:tokens]
+        end
+
+        def clear_tokens
+          @data.delete(:tokens)
+        end
+
+        def save_code_verifier(verifier)
+          @data[:code_verifier] = verifier
+        end
+
+        def load_code_verifier
+          @data[:code_verifier]
+        end
+
+        def clear_code_verifier
+          @data.delete(:code_verifier)
+        end
+
+        def save_client_information(info)
+          @data[:client_information] = info
+        end
+
+        def load_client_information
+          @data[:client_information]
+        end
+      end
+    end
+  end
+end

data/lib/action_mcp/client/oauth_client_provider.rb

@@ -0,0 +1,234 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "pkce_challenge"
+require "securerandom"
+require "uri"
+require "json"
+
+module ActionMCP
+  module Client
+    # OAuth client provider for MCP client authentication
+    # Implements OAuth 2.1 authorization code flow with PKCE
+    class OauthClientProvider
+      class AuthenticationError < StandardError; end
+      class TokenExpiredError < StandardError; end
+      attr_reader :redirect_url, :client_metadata, :authorization_server_url
+
+      def initialize(
+        authorization_server_url:,
+        redirect_url:,
+        client_metadata: {},
+        storage: nil,
+        logger: ActionMCP.logger
+      )
+        @authorization_server_url = URI(authorization_server_url)
+        @redirect_url = URI(redirect_url)
+        @client_metadata = default_client_metadata.merge(client_metadata)
+        @storage = storage || MemoryStorage.new
+        @logger = logger
+        @http_client = build_http_client
+      end
+
+      # Get current access token for authorization headers
+      def access_token
+        tokens = current_tokens
+        return nil unless tokens
+
+        if token_expired?(tokens)
+          refresh_tokens! if tokens[:refresh_token]
+          tokens = current_tokens
+        end
+
+        tokens&.dig(:access_token)
+      end
+
+      # Check if client has valid authentication
+      def authenticated?
+        !access_token.nil?
+      end
+
+      # Start OAuth authorization flow
+      def start_authorization_flow(scope: nil, state: nil)
+        # Generate PKCE challenge
+        pkce = PkceChallenge.challenge
+        code_verifier = pkce.code_verifier
+        code_challenge = pkce.code_challenge
+        @storage.save_code_verifier(code_verifier)
+
+        # Build authorization URL
+        auth_params = {
+          response_type: "code",
+          client_id: client_id,
+          redirect_uri: @redirect_url.to_s,
+          code_challenge: code_challenge,
+          code_challenge_method: "S256"
+        }
+        auth_params[:scope] = scope if scope
+        auth_params[:state] = state if state
+
+        authorization_url = build_url(server_metadata[:authorization_endpoint], auth_params)
+
+        log_debug("Starting OAuth flow: #{authorization_url}")
+        authorization_url
+      end
+
+      # Complete OAuth flow with authorization code
+      def complete_authorization_flow(authorization_code, state: nil)
+        code_verifier = @storage.load_code_verifier
+        raise AuthenticationError, "No code verifier found" unless code_verifier
+
+        # Exchange code for tokens
+        token_params = {
+          grant_type: "authorization_code",
+          code: authorization_code,
+          redirect_uri: @redirect_url.to_s,
+          code_verifier: code_verifier,
+          client_id: client_id
+        }
+
+        response = @http_client.post(server_metadata[:token_endpoint]) do |req|
+          req.headers["Content-Type"] = "application/x-www-form-urlencoded"
+          req.headers["Accept"] = "application/json"
+          req.body = URI.encode_www_form(token_params)
+        end
+
+        handle_token_response(response)
+      end
+
+      # Refresh access token using refresh token
+      def refresh_tokens!
+        tokens = current_tokens
+        refresh_token = tokens&.dig(:refresh_token)
+        raise TokenExpiredError, "No refresh token available" unless refresh_token
+
+        token_params = {
+          grant_type: "refresh_token",
+          refresh_token: refresh_token,
+          client_id: client_id
+        }
+
+        response = @http_client.post(server_metadata[:token_endpoint]) do |req|
+          req.headers["Content-Type"] = "application/x-www-form-urlencoded"
+          req.headers["Accept"] = "application/json"
+          req.body = URI.encode_www_form(token_params)
+        end
+
+        handle_token_response(response)
+      end
+
+      # Clear stored tokens (logout)
+      def clear_tokens!
+        @storage.clear_tokens
+        @storage.clear_code_verifier if @storage.respond_to?(:clear_code_verifier)
+        log_debug("Cleared OAuth tokens and code verifier")
+      end
+
+      # Get client information for registration
+      def client_information
+        @storage.load_client_information
+      end
+
+      # Save client information after registration
+      def save_client_information(client_info)
+        @storage.save_client_information(client_info)
+      end
+
+      # Get authorization headers for HTTP requests
+      def authorization_headers
+        token = access_token
+        return {} unless token
+
+        { "Authorization" => "Bearer #{token}" }
+      end
+
+      private
+
+      def current_tokens
+        @storage.load_tokens
+      end
+
+      def save_tokens(tokens)
+        @storage.save_tokens(tokens)
+      end
+
+      def token_expired?(tokens)
+        expires_at = tokens[:expires_at]
+        return false unless expires_at
+
+        Time.at(expires_at) <= Time.now + 30 # 30 second buffer
+      end
+
+      def client_id
+        client_info = client_information
+        client_info&.dig(:client_id) || @client_metadata[:client_id]
+      end
+
+      def server_metadata
+        @server_metadata ||= fetch_server_metadata
+      end
+
+      def fetch_server_metadata
+        well_known_url = @authorization_server_url.dup
+        well_known_url.path = "/.well-known/oauth-authorization-server"
+
+        response = @http_client.get(well_known_url)
+        unless response.success?
+          raise AuthenticationError, "Failed to fetch server metadata: #{response.status}"
+        end
+
+        JSON.parse(response.body, symbolize_names: true)
+      end
+
+      def handle_token_response(response)
+        unless response.success?
+          error_body = JSON.parse(response.body) rescue {}
+          error_msg = error_body["error_description"] || error_body["error"] || "Token request failed"
+          raise AuthenticationError, "#{error_msg} (#{response.status})"
+        end
+
+        token_data = JSON.parse(response.body, symbolize_names: true)
+
+        # Calculate token expiration
+        if token_data[:expires_in]
+          token_data[:expires_at] = Time.now.to_i + token_data[:expires_in].to_i
+        end
+
+        save_tokens(token_data)
+        log_debug("OAuth tokens obtained successfully")
+        token_data
+      end
+
+      def build_url(base_url, params)
+        uri = URI(base_url)
+        uri.query = URI.encode_www_form(params)
+        uri.to_s
+      end
+
+      def build_http_client
+        Faraday.new do |f|
+          f.headers["User-Agent"] = "ActionMCP-OAuth/#{ActionMCP.gem_version}"
+          f.options.timeout = 30
+          f.options.open_timeout = 10
+          f.adapter :net_http
+        end
+      end
+
+      def default_client_metadata
+        {
+          client_name: "ActionMCP Client",
+          client_uri: "https://github.com/anthropics/action_mcp",
+          redirect_uris: [ @redirect_url.to_s ],
+          grant_types: [ "authorization_code", "refresh_token" ],
+          response_types: [ "code" ],
+          token_endpoint_auth_method: "none", # Public client
+          code_challenge_methods_supported: [ "S256" ]
+        }
+      end
+
+      def log_debug(message)
+        @logger.debug("[ActionMCP::OAuthClientProvider] #{message}")
+      end
+    end
+  end
+end

data/lib/action_mcp/client/streamable_http_transport.rb

@@ -15,9 +15,10 @@ module ActionMCP
 
       attr_reader :session_id, :last_event_id
 
-      def initialize(url, session_store:, session_id: nil, **options)
+      def initialize(url, session_store:, session_id: nil, oauth_provider: nil, **options)
         super(url, session_store: session_store, **options)
         @session_id = session_id
+        @oauth_provider = oauth_provider
         @last_event_id = nil
         @buffer = +""
         @current_event = nil
@@ -97,6 +98,7 @@ module ActionMCP
         }
         headers["mcp-session-id"] = @session_id if @session_id
         headers["Last-Event-ID"] = @last_event_id if @last_event_id
+        headers.merge!(oauth_headers)
         headers
       end
 
@@ -106,6 +108,7 @@ module ActionMCP
           "Accept" => "application/json, text/event-stream"
         }
         headers["mcp-session-id"] = @session_id if @session_id
+        headers.merge!(oauth_headers)
         headers
       end
 
@@ -190,6 +193,7 @@ module ActionMCP
           # Accepted - message received, no immediate response
           log_debug("Message accepted (202)")
         when 401
+          handle_authentication_error(response)
           raise AuthenticationError, "Authentication required"
         when 405
           # Method not allowed - server doesn't support this operation
@@ -283,6 +287,26 @@ module ActionMCP
         log_debug("Saved session state")
       end
 
+      def oauth_headers
+        return {} unless @oauth_provider&.authenticated?
+
+        @oauth_provider.authorization_headers
+      rescue StandardError => e
+        log_error("Failed to get OAuth headers: #{e.message}")
+        {}
+      end
+
+      def handle_authentication_error(response)
+        return unless @oauth_provider
+
+        # Check for OAuth challenge in WWW-Authenticate header
+        www_auth = response.headers["www-authenticate"]
+        if www_auth&.include?("Bearer")
+          log_debug("Received OAuth challenge, clearing tokens")
+          @oauth_provider.clear_tokens!
+        end
+      end
+
       def user_agent
         "ActionMCP-StreamableHTTP/#{ActionMCP.gem_version}"
       end

data/lib/action_mcp/client.rb

@@ -3,6 +3,7 @@
 require_relative "client/transport"
 require_relative "client/session_store"
 require_relative "client/streamable_http_transport"
+require_relative "client/oauth_client_provider"
 
 module ActionMCP
   # Creates a client appropriate for the given endpoint.
@@ -11,6 +12,7 @@ module ActionMCP
   # @param transport [Symbol] The transport type to use (:streamable_http, :sse for legacy)
   # @param session_store [Symbol] The session store type (:memory, :active_record)
   # @param session_id [String] Optional session ID for resuming connections
+  # @param oauth_provider [ActionMCP::Client::OauthClientProvider] Optional OAuth provider for authentication
   # @param logger [Logger] The logger to use. Default is Logger.new($stdout).
   # @param options [Hash] Additional options to pass to the client constructor.
   #
@@ -33,7 +35,18 @@ module ActionMCP
   #     "http://127.0.0.1:3001/action_mcp",
   #     session_store: :memory
   #   )
-  def self.create_client(endpoint, transport: :streamable_http, session_store: nil, session_id: nil, logger: Logger.new($stdout), **options)
+  #
+  # @example With OAuth authentication
+  #   oauth_provider = ActionMCP::Client::OauthClientProvider.new(
+  #     authorization_server_url: "https://oauth.example.com",
+  #     redirect_url: "http://localhost:3000/callback",
+  #     client_metadata: { client_name: "My App" }
+  #   )
+  #   client = ActionMCP.create_client(
+  #     "http://127.0.0.1:3001/action_mcp",
+  #     oauth_provider: oauth_provider
+  #   )
+  def self.create_client(endpoint, transport: :streamable_http, session_store: nil, session_id: nil, oauth_provider: nil, logger: Logger.new($stdout), **options)
     unless endpoint =~ %r{\Ahttps?://}
       raise ArgumentError, "Only HTTP(S) endpoints are supported. STDIO and other transports are not supported."
     end
@@ -42,7 +55,7 @@ module ActionMCP
     store = Client::SessionStoreFactory.create(session_store, **options)
 
     # Create transport
-    transport_instance = create_transport(transport, endpoint, session_store: store, session_id: session_id, logger: logger, **options)
+    transport_instance = create_transport(transport, endpoint, session_store: store, session_id: session_id, oauth_provider: oauth_provider, logger: logger, **options)
 
     logger.info("Creating #{transport} client for endpoint: #{endpoint}")
     # Pass session_id to the client

data/lib/action_mcp/configuration.rb

@@ -25,6 +25,9 @@ module ActionMCP
                   :logging_level,
                   :active_profile,
                   :profiles,
+                  # --- Authentication Options ---
+                  :authentication_methods,
+                  :oauth_config,
                   # --- Transport Options ---
                   :sse_heartbeat_interval,
                   :post_response_preference, # :json or :sse
@@ -36,9 +39,15 @@ module ActionMCP
                   :max_stored_sse_events,
                   # --- Gateway Options ---
                   :gateway_class,
-                  :current_class,
                   # --- Session Store Options ---
-                  :session_store_type
+                  :session_store_type,
+                  # --- Pub/Sub and Thread Pool Options ---
+                  :adapter,
+                  :min_threads,
+                  :max_threads,
+                  :max_queue,
+                  :polling_interval,
+                  :connects_to
 
     def initialize
       @logging_enabled = true
@@ -47,6 +56,11 @@ module ActionMCP
       @resources_subscribe = false
       @active_profile = :primary
       @profiles = default_profiles
+
+      # Authentication defaults
+      @authentication_methods = Rails.env.production? ? [ "jwt" ] : [ "none" ]
+      @oauth_config = {}
+
       @sse_heartbeat_interval = 30
       @post_response_preference = :json
       @protocol_version = "2025-03-26"
@@ -58,7 +72,6 @@ module ActionMCP
 
       # Gateway - default to ApplicationGateway if it exists, otherwise ActionMCP::Gateway
       @gateway_class = defined?(::ApplicationGateway) ? ::ApplicationGateway : ActionMCP::Gateway
-      @current_class = nil
 
       # Session Store
       @session_store_type = Rails.env.production? ? :active_record : :volatile
@@ -77,7 +90,7 @@ module ActionMCP
       ActionMCP.thread_profiles.value || @active_profile
     end
 
-    # Load custom profiles from Rails configuration
+    # Load custom configuration from Rails configuration
     def load_profiles
       # First load defaults from the gem
       @profiles = default_profiles
@@ -88,8 +101,23 @@ module ActionMCP
 
         raise "Invalid MCP config file" unless app_config.is_a?(Hash)
 
-        # Merge with defaults so user config overrides gem defaults
-        @profiles = app_config
+        # Extract authentication configuration if present
+        if app_config["authentication"]
+          @authentication_methods = Array(app_config["authentication"])
+        end
+
+        # Extract OAuth configuration if present
+        if app_config["oauth"]
+          @oauth_config = app_config["oauth"]
+        end
+
+        # Extract other top-level configuration settings
+        extract_top_level_settings(app_config)
+
+        # Extract profiles configuration
+        if app_config["profiles"]
+          @profiles = app_config["profiles"]
+        end
       rescue StandardError
         # If the config file doesn't exist in the Rails app, just use the defaults
         Rails.logger.debug "No MCP config found in Rails app, using defaults from gem"
@@ -197,6 +225,37 @@ module ActionMCP
       }
     end
 
+    def extract_top_level_settings(app_config)
+      # Extract adapter configuration
+      if app_config["adapter"]
+        # This will be handled by the pub/sub system, we just store it for now
+        @adapter = app_config["adapter"]
+      end
+
+      # Extract thread pool settings
+      if app_config["min_threads"]
+        @min_threads = app_config["min_threads"]
+      end
+
+      if app_config["max_threads"]
+        @max_threads = app_config["max_threads"]
+      end
+
+      if app_config["max_queue"]
+        @max_queue = app_config["max_queue"]
+      end
+
+      # Extract polling interval for solid_cable
+      if app_config["polling_interval"]
+        @polling_interval = app_config["polling_interval"]
+      end
+
+      # Extract connects_to setting
+      if app_config["connects_to"]
+        @connects_to = app_config["connects_to"]
+      end
+    end
+
     def should_include_all?(type)
       return false unless @profiles[active_profile]
 

data/lib/action_mcp/engine.rb

@@ -12,6 +12,7 @@ module ActionMCP
     ActiveSupport::Inflector.inflections(:en) do |inflect|
       inflect.acronym "SSE"
       inflect.acronym "MCP"
+      inflect.acronym "OAuth"
     end
 
     # Provide a configuration namespace for ActionMCP
@@ -28,6 +29,13 @@ module ActionMCP
       ActionMCP.configuration.load_profiles
     end
 
+    # Add OAuth middleware if OAuth is configured
+    initializer "action_mcp.oauth_middleware", after: "action_mcp.load_profiles" do
+      if ActionMCP.configuration.authentication_methods&.include?("oauth")
+        config.middleware.use ActionMCP::OAuth::Middleware
+      end
+    end
+
     # Configure autoloading for the mcp/tools directory
     initializer "action_mcp.autoloading", before: :set_autoload_paths do |app|
       mcp_path = app.root.join("app/mcp")